Blog

Like everyone else, I have been so involved doing ingress filtering, that I have neglected egress filtering. To me, ingress filtering is easy: Block everything except what is absolutely necessary. Egress filtering is another animal. Everyone tells me I should do it, but no one tells me what I should be filtering for. Can you suggest a basic scheme for a small to medium business (SMB) to follow?

Great question! And you are most definitely correct in that the majority of guidance on firewalls focuses on how to limit traffic from un-trusted networks into trusted networks. Outbound traffic tends to be much trickier for several reasons like:

You have to do an analysis of your business critical applications and the traffic they pass to the internet

You need to have policies in place governing access

You should probably have some controls to prevent pesky users from going around your policies and rules

filter, by mason bryant

The first one is sometimes the hardest one to accomplish. Traffic analysis is easy if you have the right tools, but SMBs rarely do. You may need to resort to using your firewall to tell you exactly what is typical traffic for your business. I would not suggest just setting a Draconian policy and enforcing it immediately. That may break your business and create a negative perception of the IT department.

One way you could see your internet traffic is to set up a few rules that you can log against. Most modern SMB firewalls have some kind of logging capabilities, but if you are only using the router provided to you by your ISP, don’t be surprised if you cannot use this method.

Above your Internal->Any Permit rule, place a few rules for common outbound traffic. This would be UDP (and maybe TCP) port 53, and TCP ports 80 and 443. Don’t forget to include your mail ports (25, 587, 110, 143, 993, and 995), and any other commonly used ports by your staff. You can do all of these ports in one rule, and be sure to turn logging OFF for this rule. Assume these are OK and would end up in your egress permit list.

Next, create a rule for some ports that should be expressly denied. Those would be things like UDP 1434 and TCP 1433 (both commonly used to access a Microsoft SQL server) or TCP port 389 (LDAP). Neither of those should be used (with RARE exceptions). Set it up to deny and turn logging ON for that rule. Check your logs frequently to see if that particular rule triggers an event.

The finally, turn logging ON for your existing rule that permits all outbound traffic. Next, you need to play the waiting game. Once you have some logs, start combing through them to see what your coworkers are doing. My guess is that you will find a ton of instant messenger traffic, as well as the occasional Skype, SSH, or FTP session.

The next step is to review the traffic and figure out what you want to allow out as part of the risk of operating your business. You will need a corporate policy, a way to communicate it to your staff, and finally enforcement with top down buy-in. Make EVERYONE stick to the policy.

Adding more rules will add to your overhead, so be sure you account for that when rolling out this policy. Small businesses may not need an extra head, but medium sized ones might depending on the complexity and rate of change their business goes through.

Finally, for those looking for a list of common outbound ports and what they might be used for1, I’ve thrown a few together below. Please understand this is not an exhaustive list, and nearly every business will have a few missing especially if you have connections to other businesses that use the internet as a carrier (such as VPN).

TCP:

80/443: Web Traffic

20/21: FTP

22: SSH

25/587: Mail (limit this to your SMTP server)

53: Domain Transfer or DNS (again, limit to your trusted DNS server for the most part)

Remember, just because you allow port 443 through (SSL web traffic), that doesn’t mean that other things can’t use port 443 as their transport mechanism. I routinely make use of an SSL VPN that I have configured on port 443 for this very reason. [↩]

PLEASE only use the SSL version of this and the previous one. Your user’s credentials are exposed in the clear if you do not. [↩]